Zoom’s video conferencing service is used by Nasdaq, the Centers for Disease Control and Prevention, the US Department of Homeland Security, and the US Department of Energy, among others.
Video conferencing service Zoom left millions of users exposed to a security flaw that could allow attackers easy access to its users' laptop cameras and microphones. The vulnerability, which allows attackers to initiate a video-enabled call on a Mac without user consent, was first reported by software engineer Jonathan Leitschuh yesterday. Leitschuh told BuzzFeed News that the attack also affects Windows users who have opened custom URLs from Zoom on Chrome browsers.
Leitschuh reported the vulnerability to Zoom in March. The company responded by releasing a fix for an unrelated flaw that would allow a hacker to trigger an endless loop of meeting requests. It left the video camera issue unaddressed.
In a blog post updated Tuesday afternoon, Zoom said it will release a patch for the vulnerability by July 11.
Earlier in the day, Zoom chief information security officer Richard Farley told BuzzFeed News that there have been no reports of the video camera access attack based on customer support records, but also admitted that “Meeting joins happen all the time. Millions a day. There isn’t really a way for us to look at the logs to determine whether that was an intentional join by the user or the user was phished into joining.”
Millions of people use Zoom’s corporate video conferencing apps. While the company no longer releases customer numbers, in a 2015 press release, it boasted that 40 million individuals had participated in Zoom meetings. The company’s clientele includes the Centers for Disease Control and Prevention, the US Department of Homeland Security, the US Department of Energy, Nasdaq, Uber, and Delta Air Lines. It is also widely used in schools (the company offers a product tailored for K–12 use). Farley told BuzzFeed News that this use case was not evaluated as a part of Zoom’s threat modeling.
Mac and Windows customers with the Zoom desktop app installed were affected by the flaw. Zoom enables its users to send a meeting link, and when that link is clicked, the Zoom app opens and the meeting is automatically joined. “One-click-to-join meetings … is our key product differentiator,” a Zoom spokesperson wrote in an emailed statement to BuzzFeed News — but it also left video cameras and microphones exposed to anyone who could exploit the feature.
Apple did not provide comment by the time of publication.
Here’s how the vulnerability could be exploited on Mac. When you first download the Zoom app, it asks if you want to leave your camera turned off for future meetings. The camera is turned on by default, and you need to specifically check the preference to turn the camera off. Because it’s video conferencing software, most people don’t check the checkbox. In fact, Zoom’s Farley said, “For the best user experience, we recommend that users do [have their camera turned on automatically when joining a meeting].” Additionally, meeting hosts can specify that participants’ videos are on when they create meetings.
So, if your Zoom settings are set to video camera “on” for meetings and the meeting host set the participants’ video preference to “on,” then once you join a meeting, your laptop’s camera and microphone are automatically enabled, and the meeting host has access to them.
This video camera setting is problematic because of a flaw that can be exploited using a Zoom feature called Auto-Join.
Users can click a Zoom link to auto-join a meeting. Users can also, Leitschuh discovered, visit a website with what’s called an iframe embed hiding behind a malicious advertisement. Once the embed loads on the website, the Zoom app will launch and, depending on the settings of the user, give an attacker and any other participants in that meeting immediate access to the victim’s camera and microphone — without requiring a single click from the victim.
“Per their own statement, Zoom made a set of product decisions that intentionally prioritized use of their system over user choice,” security consultant Eleanor Saitta told BuzzFeed News.
“Zoom clearly had not considered malicious uses — or, worse, had disregarded them — when they decided to remove this choice from the user, and appear to consider Zoom use, and presumably their revenue growth, more important than surveillance of users,” Saitta added.
The iframe embed doesn’t require a user click because of a second application, referred to as a localhost web server, that is automatically installed alongside the Zoom Mac desktop app and runs constantly in the background. When the server detects the embed, it opens the Zoom application and auto-joins a meeting — with your camera and microphone turned on.
People using Google’s Chrome browser on Windows were also affected by the iframe embed vulnerability. If you’ve ever checked a dialog box to “Open Zoom Meetings” and “Always open these types of links in the associated app,” then you are also vulnerable to an embed forcing you to join a meeting without any extra prompt needed to do so.
“We consciously enabled the ability to have meeting joins initiated from within an iframe on a webpage,” said Farley, who also noted that the company is not disabling the capability after the security researcher’s findings. Asked whether it was a concern that such iframes require no click from the user to join a meeting, he replied, “No, that’s not a security concern.”
When Leitschuh first reported the vulnerability to Zoom, he classified its severity as an 8.5 out of 10. Following its own review, Zoom categorized it as a 3.1.
Zoom told BuzzFeed News it has no plans to add a dialog window that would explicitly ask users if they intend to join a meeting after clicking an invite link.
In a statement, a Zoom spokesperson said the server was designed as a “workaround” to a security change in Safari 12, requiring users to accept launching Zoom before every meeting. Farley explained the change “resulted in what we believe was a poor user experience of having to do multiple clicks to join a Zoom meeting.”
Farley maintained that saving users a click is a good experience, but said, “What we failed to do is uninstall the server when they uninstalled the web client.”
Not only did Zoom allow attackers access to the video cameras of its Mac app users, but it also left its web server running in the background, even after the user uninstalled the Zoom app. BuzzFeed News also verified that the server reinstalled the Zoom app when a meeting link was clicked, without notifying the user, if the Zoom app had been deleted from the machine.
Saitta criticized these behaviors, saying they are “not justifiable in these cases and come with significant risk.” She recommends that people remove Zoom from their systems and refrain from using the app until the company delivers a version without that always-on web server. “This is an excellent example of what my friend Deb Chachra calls ‘nonconsensual technology,’” she told BuzzFeed News. “It’s a sadly common attitude among tech companies that what the user wants can be ignored on a whim.”
What to Do About It
Go to Zoom settings > Video, and under Meetings, enable “Turn off my video when joining a meeting.”
Get rid of the Zoom desktop app entirely. If you want to get ahead of Zoom’s patch, which the company said will be released by midnight tonight, first you need to shut down the web server. Open the application called Terminal. Copy and paste this text: lsof -i :19421. Press enter. You’ll get a string of mumbo jumbo. Underneath the text “PID,” copy the string of numbers. Then type “kill -9” (without the quotes), add a space after -9, and paste the PID string of numbers. Press enter. The server has been killed.
Drag the Zoom app, along with a folder titled “.zoomus,” to the trash can. Then hover over the trash can, and press CONTROL and click your mouse simultaneously. Empty the trash can. Boom.
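The Terminal steps above, scripted as an added example that is not part of the article: it checks whether anything is still listening on port 19421, stops it (a plain kill first, then the article's kill -9 if the process lingers), and deletes the .zoomus folder. It assumes macOS with lsof installed; the function names, the ZOOM_PORT variable and the --run switch are my own.

```shell
#!/bin/sh
# Added example (not from the article): stop the Zoom localhost web server on
# port 19421 and remove ~/.zoomus. Assumes lsof is present (standard on macOS).
ZOOM_PORT=19421

# Pull the PID column out of `lsof -i`-style output, skipping the header row.
pids_from_lsof() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# PIDs of processes listening on the port; empty if none (or if lsof is missing).
zoom_server_pids() {
    command -v lsof >/dev/null 2>&1 || return 0
    lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null | pids_from_lsof
}

# Stop the server: SIGTERM first, then the article's kill -9 for anything that survives.
stop_zoom_server() {
    pids=$(zoom_server_pids)
    if [ -z "$pids" ]; then
        echo "nothing is listening on port $ZOOM_PORT"
        return 0
    fi
    for pid in $pids; do
        echo "stopping pid $pid"
        kill "$pid" 2>/dev/null || true
    done
    sleep 1
    for pid in $(zoom_server_pids); do
        echo "pid $pid still alive, sending kill -9"
        kill -9 "$pid" 2>/dev/null || true
    done
}

# Remove the hidden .zoomus folder (defaults to the one in your home directory).
remove_zoom_dir() {
    dir="${1:-$HOME/.zoomus}"
    if [ -d "$dir" ]; then
        rm -rf "$dir"
        echo "removed $dir"
    else
        echo "$dir not present"
    fi
}

main() {
    stop_zoom_server
    remove_zoom_dir
}

# Only act when explicitly asked, so sourcing the file for inspection is harmless.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh zoom_cleanup.sh --run`; without `--run` nothing is killed or deleted. Dragging the Zoom app itself to the trash is still a manual step.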
Chloe Cota contributed reporting to this story.
Jonathan Leitschuh’s name was misspelled in an earlier version of this post.